Critical Governance Part 2

Don’t make the mistake of thinking that you have to be Sony pictures to be exposed to a cyber risk! Do you recall the group calling itself Guardians of Peace (GOP) and demanding that Sony’s controversial North Korean comedy The Interview be pulled from release?

“The FBI Director, James Comey, has stood by the Bureau’s conclusion that the North Korean government was responsible for the mammoth computer hack on Sony pictures, saying the hackers; “got sloppy” and allowed their location to be identified on a number of occasions.” Guardian Online

You could be exposed to a cyber attack for direct financial gain or non-financial reasons like stealing data or know how or to cause reputational damage or ridicule. Fraud continues to be a major threat to UK business but the nature of such crime is changing. As essential business processes and functions are increasingly facilitated via digital systems and as business records are increasingly kept electronically, with the proliferation of mobile technology and the increase in online business usage, businesses need to be prepared to match their investment in digital technology with the required investment in the appropriate level of IT security.

As a board member you need to be aware of the impact of the technology era, that we find ourselves in and the concept of ‘Cyber Risk’ is just one of the 7 Digital Disruption Demands (DDD) that I want to share with you. It is not just the capability of modern equipment and software, but also its availability and the fact that it is portable. I would suggest that you take each DDD and ensure that your board has considered the implications, associated risks and plans for dealing with the items highlighted. But before we consider them, I would encourage you to ensure that you are comfortable with the answer to the following three questions:

1. Is your organisation’s technology strategy integrated with your corporate strategy?
2. Does your organisation have a disaster recovery plan and is it prepared for the impact of failure in technology?
3. Do you have a plan for how your organisation will enhance its performance by maximising its technology capabilities?

These 3 questions and other similar questions should be on your board agenda at some stage in your forward plan of board meetings and all boards need to ensure that they are aware of the impact of digital disruption. So now let’s look at the specific (DDD) areas that you should focus on.

• Rate of change – It is because of the rate of change of new technologies and the speed at which expertise in this area becomes outdated that boards need to be digitally aware. Boards need to get assurance that their technology is indeed sufficient to deal with the demands of the organisation, the threat of cyber attack and how it benchmarks against peers, competitors and the supply chain. They should ensure that the Chief Information Officer or equivalent is up to date with current thinking and has a plan for staff that keeps them on a cycle of learning and development.

 

• Customer Experience – Technology has transformed the customer experience in all sectors and, even if the sector you operate in hasn’t caught up yet, you will be impacted. If your customers are used to a level of service in other areas of their life they will come to expect it in all areas. Boards need to consider how they are able to ensure that digital inclusion translates into an enhanced experience for your customers. Each organisation should be seeking to ‘disrupt’ current service provision by the application of appropriate technology for the benefit of customers.

 

• Service Delivery – The way services are delivered has been completely overhauled in many businesses, so isn’t it time to get your organisation onto modern platforms? The use of tablets, cloud technology and the relatively inexpensive costs of either accessing mobile phone applications or developing them should help your organisation to deliver services in a more effective way.

 

• Social Media – Technology has transformed the speed, spread and nature of communication. Brand impairment and reputational risk should be as much a part of the board discussions as developing market profile and presence.

 

• Cyber Risk –  Organisations need to learn to view the world from a cyber perspective and understand that ‘Cyber Risk’ is never a matter just for the IT team. Since 1 October 2014, the government has required all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials Scheme. Even if you are not bidding for these contracts why not consider the guidance provided by its ‘10 Steps to Cyber Security’ available here: https://www.gov.uk/government/publications/10-steps-to-cyber-security-advice-sheets.

 

• Data Analysis – The collection, storage, interpretation and use of data is a key tool for every board. Key Performance indicators should be developed in order to measure, monitor and control value added activities, health and safety aspects as well as financial and operating performance. The availability of relevant corporate data is a prerequisite for board members carrying out their role.

 

• Data Security – Breaching data security protocols can lead to legal consequences for your organisation. These include enforcement action from the Information Commissioner’s Office under the UK’s existing Data Protection Act 1998. There are many recent examples in both the private and public sectors of organisations falling foul of losing customer or personal information.

 

In conclusion, you may want to consider how knowledgeable you are as a board about *digital technologies. Do you understand the risks and implications of digital disruption and what plans you have to mitigate them? Have you spent enough time ensuring that you have considered the opportunities available to you by embracing the digital revolution? With the pace of change in your sector, are you confident that you have staff who are up to date and knowledgeable, software that is integrated, secure and at the cutting edge. Is it time to consider refreshing the membership of your board to ensure that there is at least one member with relevant, recent technology experience?

 

 

Until next time…

 

*Digital technologies –  cloud, social media, mobile, board portals, applications